Total
52 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-23387 | 1 Fusionpbx | 1 Fusionpbx | 2025-05-30 | N/A | 4.8 MEDIUM |
|
FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with an administrative privilege, an arbitrary script may be executed on the web browser of the user who is logging in to the product.
|
|||||
| CVE-2024-24539 | 1 Fusionpbx | 1 Fusionpbx | 2025-05-23 | N/A | 5.3 MEDIUM |
|
FusionPBX before 5.2.0 does not validate a session.
|
|||||
| CVE-2022-35153 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | N/A | 9.8 CRITICAL |
|
FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php.
|
|||||
| CVE-2022-28055 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function.
|
|||||
| CVE-2021-43406 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An issue was discovered in FusionPBX before 4.5.30. The fax_post_size may have risky characters (it is not constrained to preset values).
|
|||||
| CVE-2021-43405 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An issue was discovered in FusionPBX before 4.5.30. The fax_extension may have risky characters (it is not constrained to be numeric).
|
|||||
| CVE-2021-43404 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An issue was discovered in FusionPBX before 4.5.30. The FAX file name may have risky characters.
|
|||||
| CVE-2021-43403 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | N/A | 6.5 MEDIUM |
|
An issue was discovered in FusionPBX before 4.5.30. The log_viewer.php Log View page allows an authenticated user to choose an arbitrary filename for download (i.e., not necessarily freeswitch.log in the intended directory).
|
|||||
| CVE-2021-37524 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php.
|
|||||
| CVE-2020-21057 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
Directory Traversal vulnerability in FusionPBX 4.5.7, which allows a remote malicious user to delete folders on the system via the folder variable to app/edit/folderdelete.php.
|
|||||
| CVE-2020-21056 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Directory Traversal vulnerability exists in FusionPBX 4.5.7, which allows a remote malicious user to create folders via the folder variale to app\edit\foldernew.php.
|
|||||
| CVE-2020-21055 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A Directory Traversal vulnerability exists in FusionPBX 4.5.7 allows malicoius users to rename any file of the system.via the (1) folder, (2) filename, and (3) newfilename variables in app\edit\filerename.php.
|
|||||
| CVE-2020-21054 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "f" variable in app\vars\vars_textarea.php.
|
|||||
| CVE-2020-21053 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross Site Scriptiong (XSS) vulnerability exists in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "query_string" variable in app\devices\device_imports.php.
|
|||||
| CVE-2019-19388 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in app/dialplans/dialplan_detail_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the dialplan_uuid parameter.
|
|||||
| CVE-2019-19387 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in app/fifo_list/fifo_interactive.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the c parameter.
|
|||||
| CVE-2019-19386 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in app/voicemail_greetings/voicemail_greeting_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id and/or voicemail_id parameter.
|
|||||
| CVE-2019-19385 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in app/dialplans/dialplans.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the app_uuid parameter.
|
|||||
| CVE-2019-19384 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in app/fax/fax_log_view.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the fax_uuid parameter.
|
|||||
| CVE-2019-19367 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in app/fax/fax_files.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
|
|||||
| CVE-2019-19366 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in app/xml_cdr/xml_cdr_search.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter.
|
|||||
| CVE-2019-16991 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS.
|
|||||
| CVE-2019-16990 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it.
|
|||||
| CVE-2019-16989 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.
|
|||||
| CVE-2019-16988 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources\content.php uses an unsanitized "eavesdrop_dest" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.
|
|||||
| CVE-2019-16987 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
|
|||||
| CVE-2019-16986 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.)
|
|||||
| CVE-2019-16985 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 8.5 HIGH | 6.5 MEDIUM |
|
In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system.
|
|||||
| CVE-2019-16984 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php uses an unsanitized "filename" variable coming from the URL, which is base64 decoded and reflected in HTML, leading to XSS.
|
|||||
| CVE-2019-16983 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS.
|
|||||
| CVE-2019-16982 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
|
|||||
| CVE-2019-16981 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to v4.5.7, the file app\conference_profiles\conference_profile_params.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
|
|||||
| CVE-2019-16980 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection.
|
|||||
| CVE-2019-16979 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
|
|||||
| CVE-2019-16978 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
|
|||||
| CVE-2019-16977 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to 4.5.7, the file app\extensions\extension_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
|
|||||
| CVE-2019-16976 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to 4.5.7, the file app\destinations\destination_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
|
|||||
| CVE-2019-16975 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to 4.5.7, the file app\contacts\contact_notes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
|
|||||
| CVE-2019-16974 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
|
|||||
| CVE-2019-16973 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
|
|||||